by hawkharris 4393 days ago
We should stop using the term "password" and start emphasizing passphrases. A full sentence is much easier to remember, yet harder to crack, than a shorter, cryptic password. Or, as XKCD put it: http://xkcd.com/936/

There's a widespread misconception that words are always bad because of dictionary attacks, but that concern is moot if you use unique words or simply use a long sentence. A major advantage of sentences is that, because they're memorable, you can more easily use a different password for every site.


I completely agree, but too many websites put upper limits on the password length (which is completely idiotic) to be able to do this in practice.
I agree. It is frustrating when websites place arbitrary limits on characters in a passphrase. It's even more frustrating when they add specific rules (e.g. must use at least one number) that actually lower the number of possible combos in the string.
The worst annoyance for me is when they accept my 32+ character password - which I generate and paste from a password manager - and then they silently truncate it to a shorter length! No error, nothing. I remember hearing about some services that did this but the longer passwords still worked, which gave users a false sense of security.

What I run into more frequently is that I have to click the 'Forgot password' link and reset it. Then I cross my fingers and wait to see if they email it back in plain text (this is unforgivable) so I can count the characters and learn what the max length is that way.

Well, how would they fit the passwords in the database if there was no limit? =)
Please tell me this is sarcasm [0]. I assume from the emoticon that it is.

[0] http://en.wikipedia.org/wiki/Poe's_law

Just truncate to the first 10 characters of course.
> but that concern is moot if you use unique words

You could say the same thing about passwords using random characters. The problem isn't getting people to remember them, it's getting people to use random passwords/unique words in the first place. Telling people to "use a long sentence" will just result in them picking common sentences most of the time like "To be or not to be" or "Live long and prosper".

Well, let's say you have a 5-digit password made up of letters and numbers. That's 60466176 combinations.

Now let's say you have a 4-word passphrase. There are about 120,000 words in English. There may be more if you include derivatives of words. That includes 2.0736e+20 combinations, not considering the entropy introduced by spaces between words or punctuation marks.

That's just to demonstrate the power of passphrases...but it's not quite a fair comparison; no one has such an expansive vocabulary. So, finally, let's assume that a dictionary attack includes 20,000 of the most commonly used words, and all of the user's words are common, by this standard.

The result is still 1.6e+17 -- again, not including spaces or punctuation: significantly more than an alphanumeric password.
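As an added example, not from this thread or any of its commenters, the keyspace arithmetic above expressed as code, generalised to bits of entropy and to the "12 chars and complex" password mentioned later in the thread; the wordlist is a constructed toy list standing in for a real dictionary.

```python
import math
import secrets

ALNUM_SIZE = 36       # a-z plus 0-9, as in the "5-digit" example above
PRINTABLE_SIZE = 95   # printable ASCII, for a "12 chars and complex" password


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of equally likely secrets: alphabet_size ** length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random choice from keyspace()."""
    return length * math.log2(alphabet_size)


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Fewest random words from a dictionary that reach target_bits."""
    return math.ceil(target_bits / math.log2(dictionary_size))


# Constructed toy wordlist; a real generator uses thousands of words.
TOY_WORDS = ("correct", "horse", "battery", "staple",
             "decorum", "daybreak", "lantern", "orbit")


def random_passphrase(wordlist, count: int) -> str:
    """Pick words uniformly with replacement via secrets (CSPRNG), not random."""
    return " ".join(secrets.choice(wordlist) for _ in range(count))


def compare() -> dict:
    """Reproduce the thread's three numbers and add bit counts for each case."""
    return {
        "alnum_5": keyspace(ALNUM_SIZE, 5),        # 60466176
        "words_120k_4": keyspace(120_000, 4),      # 2.0736e+20
        "words_20k_4": keyspace(20_000, 4),        # 1.6e+17
        "alnum_5_bits": entropy_bits(ALNUM_SIZE, 5),
        "words_20k_4_bits": entropy_bits(20_000, 4),
        "ascii_12_bits": entropy_bits(PRINTABLE_SIZE, 12),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:18} {v:,}" if isinstance(v, int) else f"{k:18} {v:.1f} bits")
    print("words (20k list) to match 12 printable chars:",
          words_needed(20_000, entropy_bits(PRINTABLE_SIZE, 12)))
    print("sample:", random_passphrase(TOY_WORDS, 4))
```

Note that the bit counts only hold when every character or word is chosen uniformly at random; a sentence a person picks from memory has far less entropy than the dictionary size suggests.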

It really doesn't matter how much entropy exists because password crackers do not use linear keyspace searches, they use advanced heuristics to guess the most likely possibilities first. The major flaw in passwords is that humans choose them and humans are fairly predictable.

If a site generates a password for the human it would result in a more even distribution of randomly-generated passphrases and reduce passphrase re-use across different sites. The human could then write it down or memorize it (or record it in their password manager, which defeats the purpose of using passwords entirely).

Passwords are mostly dead at this point, and more two-factor service providers need to pop up to prevent over-reliance on passwords. http://twofactorauth.org/

I think even the 20k most common estimate is way high. Think up some words yourself, and look them up in a frequency list. Most of the stuff I came up with off the top of my head was around 4-6k down the list. Look down to 20k and you get stuff like decorum, decked, daylights, daybreak, etc. When was the last time you heard anybody use those in a conversation?

I bet that with a little work, you could come up with a list a few thousand long that would get most of the passwords people come up with like that.

For my memorable passwords, I switched to using [0] pass phrase generator, which comes up with much rarer words than I do off the top of my head.

[0] http://www.fourmilab.ch/javascrypt/pass_phrase.html

[1] http://www.wordandphrase.info/frequencylist.asp

[2] http://en.wiktionary.org/wiki/Wiktionary:Frequency_lists

> There are about 120,000 words in English [...] That includes 2.0736e+20 combinations

You forgot using common sense: The number of words most people will actually choose to use is far fewer.

It sounds like you stopped reading my comment after the first paragraph. I later accounted for the reality that people have limited vocabularies.
It's pretty unfair to compare against a 5-digit password.
Not really. The question was whether words are more or less secure for a given level of ease of memorisation. I'd say 5 random characters are about as easy to memorise as 4 random words.
No, we should come up with something that works better than either, and is more usable. Passwords suck. Does anyone here seriously think we'll still be using them 50 years from now?
I see no difference behind the glory.

Why? Once you change the word "password" to "passphrase", and get rid of those insane password requirements (must contain 1 upper case, 1 lower case, up to X length, 1 symbol, must not repeat the same character twice or consecutively, etc.), people start to use passphrases. But with enough attacks, you will build a passphrase table, and people who use passphrases will then use the same passphrase on multiple sites, which means it is the same as a password, and then site developers will come out and say "we will implement additional requirements - at least this length with this complexity".

A password which is 12 chars long and complex enough is hard to break. The problem is that people use the same password, and credentials get stolen every day. Can you trust random forums today running your password?

I agree! I've been using passphrases for about 12 years, but in this form:

Ia! Ibupfa1y,bitf:

(It's the first letter of every word in that sentence.)

A sentence relevant to me that also refers to the site is easier for me to remember than random words. But perhaps I could make it longer... Use the xkcd idea too.

The entropy is huge unless/until everyone starts making 3 word passphrases the same way with very common words.

There can also be dictionary attacks on common passphrases, especially after a large site is compromised.

Lately I've been changing it up by offsetting my fingers on the keyboard.

Unfortunately each password/phrase input has different requirements and limits, and there's many different confusing help texts for explaining it. And it's frustrating to find out the limits after committing to memory and submitting.

What's a good, plainly written ux standard that we can advocate?

Using a password manager
Yes, even better.

Can you recommend a password manager that works on all browsers/devices that you trust?

I have not found that yet, so I use passphrases customized to the site.

Edit: Also fundamentally it means that to access a single site from a compromised device, I'm potentially giving a nice list of all of my credentials.

> Can you recommend a password manager that works on all browsers/devices that you trust?

1Password works on iOS, Android, and Mac (as confirmed by me) and they claim Windows, too. Browser-wise, I can confirm Chrome and Safari. That works for me, as it covers all of my use cases. YMMV, and it most certainly will if you're running Linux.

Downside: good $DEITY is it pricey by the time you cover all of your mobile devices and desktops. The amount of hassle it saves me probably pays for it, but covering all platforms at my house is bumping up against $100 (not including a couple of paid upgrades along the way).

I can recommend KeePassX.

It's in the Debian & Ubuntu repositories. It is also in the F-Droid repository for Android mobiles, so you can install and update easily from an AOSP ROM. All of the above are free and open-source which helps quite a bit with establishing trust. If you are among the majority using Windows or Mac it works there, too.

Sync it between devices by storing its (by default encrypted) database in a service like ownCloud or Dropbox.

Google Sheets
One problem with this is that most people are typing passwords on phones now, so the longer they are, the more annoying they are to type in. (Although I suppose word completion would help with a passphrase. Although for security it probably shouldn't be enabled for password fields.) Anyway, the real solution is a password manager with unique random sequences of characters for passwords.

Perhaps Microsoft, Apple, and Google could get together to build (or buy and open source) a password manager that would be integrated with their various platforms, for the common good. (I realize solutions already exist, but this would make it much more likely that the general public would use it.)